feat: mTLS for Manager ↔ Decision Maker communication

[Copilot]

Manager distributes kernel scheduling intents to every DM node; a compromised transport allows arbitrary priority manipulation. This adds opt-in mTLS so both sides authenticate via a shared private CA, while the Manager's external HTTP API (web GUI / Ingress) is left untouched.

Config

New [mtls] block in both manager_config.toml and dm_config.toml (disabled by default):

[mtls]
enable   = true
cert_pem = "..."   # own cert signed by private CA
key_pem  = "..."   # own private key
ca_pem   = "..."   # CA cert to verify the peer

Manager client (manager/client/deicison_maker.go)

• Constructor signature: NewDecisionMakerClient(keyConfig, mtlsCfg) (DecisionMakerAdapter, error) — Fx handles the error naturally.
• When enabled, attaches a *http.Transport with tls.Config{Certificates, RootCAs} and switches all DM endpoint URLs from http:// → https://.

Decision Maker server (decisionmaker/app/rest_app.go)

• When mtls.enable = true, creates a tls.NewListener with ClientAuth: tls.RequireAndVerifyClientCert before handing the listener to Echo. Plain HTTP path is unchanged.

Dependency wiring

• Both manager/app/module.go and decisionmaker/app/module.go expose config.MTLSConfig via Fx so it flows into the client constructor and server startup automatically.

Tests

Five new unit tests in manager/client/:

• disabled path (scheme = http)
• bad cert / bad CA error paths
• enabled path (scheme = https)
• end-to-end mTLS roundtrip against a httptest server using programmatically generated CA + leaf certs with a fixed validity window (2025–2035) for determinism

Docs

README.md gains an mTLS Setup section: trust model rationale, step-by-step OpenSSL commands to create a private CA and sign Manager/DM certificates, config embedding instructions, and a Kubernetes Secret mounting example.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Adds opt-in mutual TLS (mTLS) to authenticate and encrypt Manager ↔ Decision Maker traffic using a shared private CA, without changing the Manager’s external HTTP API surface.

Changes:

• Introduces [mtls] configuration (cert/key/CA PEMs) for both Manager and Decision Maker.
• Updates the Manager’s Decision Maker client to support HTTPS + client cert auth when enabled.
• Updates the Decision Maker REST app to require and verify client certificates when enabled, plus adds client-side unit/e2e tests and README setup docs.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
manager/client/deicison_maker.go	Adds mTLS-enabled HTTP client creation and switches DM endpoints to http/https based on config.
manager/client/deicison_maker_test.go	Adds unit + end-to-end mTLS tests using generated CA/leaf certs.
manager/app/module.go	Provides config.MTLSConfig via Fx for injection into the DM client.
decisionmaker/app/rest_app.go	Adds mTLS server startup path requiring verified client certs.
decisionmaker/app/module.go	Provides config.MTLSConfig via Fx for injection into REST startup.
config/manager_config.go	Adds MTLSConfig and wires it into ManageConfig.
config/manager_config.default.toml	Documents default (disabled) mTLS config block for Manager.
config/dm_config.go	Adds MTLSConfig to DecisionMakerConfig.
config/dm_config.default.toml	Documents default (disabled) mTLS config block for Decision Maker.
README.md	Adds mTLS configuration snippets and detailed setup instructions (OpenSSL + Kubernetes Secrets).

[ianchen0119]

LGTM